Mozilla Start Drafting Plans To Deprecate Insecure HTTP


  • GreatEmerald
    replied
Yeah, certificates are a pain. I have my own website and would love to use HTTPS, but getting a certificate that browsers acknowledge is hard; and it is serving static content only, aside from the control panel itself, so it's not worth the bother. Let's Encrypt does sound pretty good, but then I'd imagine Mozilla should start thinking about whether to try and deprecate HTTP only after it's launched.



  • Luke
    replied
    ISPs must NEVER have keys

    Originally posted by carewolf View Post
    That is exactly what he is talking about. That media content is often cached on ISP level.
    ISPs have gotten so malicious that giving them SSL keys would be the worst possible idea. I don't want them running caching proxies anyway; I found that they can force terminating a connection and making a new one to see modifications to a page. The counter to that right now is HTTPS; I've found that effective against both carrier caching and carriers attempting to serve degraded, compressed images. The latter can be blocked by NoScript, the former cannot be, as it does not involve client-side code. If any SSH keys are given to ISPs, we'll need to be able to blacklist every key they are suspected of having. I would tolerate dial-up speeds, capped from the first byte, even charged for by the kilobyte, long before I would tolerate carriers tampering with my data. I have never once seen a carrier-injected ad due to my aggressive countermeasures; I even have my own router's URL 127.0.0.1'ed out in /etc/hosts, and if I need to connect to its admin page I use the IP address.

    Right now we have Verizon's tracking headers (at least we stopped Turn), against which HTTPS works and Tor Browser offers 100% protection, T-Mobile's "web guard" proxy, and the known fact that most ISPs keep and presumably sell detailed lists of sites visited. We are rapidly approaching a future where everyone will have to use Tor for all online activity, and in order to handle the bandwidth Tor will have to require every connection to serve as an exit node. This will slow down the Internet as a whole by a factor of three but may be the only defense against carriers who are so deeply malicious they make the NSA look like a joke.



  • PRab
    replied
    There are 2 different security issues that HTTPS addresses.
    1. Authentication. You received what the website actually sent.
    2. Privacy. Only you know what the website sent.

    For many websites all that is needed/wanted is authentication. By switching to full-blown HTTPS, you get both security features, but for some things (static images), all you really want is authentication. For this type of content, HTTPS providing privacy is actually bad because it breaks things like transparent proxies.

    In the end, I would rather see everything delivered via HTTPS, but I think the best solution would be to have everything default to fully secure and have the website selectively mark content as authentication only.



  • carewolf
    replied
    Originally posted by vadix View Post
    Maybe I just don't have a sense of humor, but I am fairly certain that the majority of web traffic comes from media content anyways, so I don't think that is a reasonable conclusion.
    That is exactly what he is talking about. That media content is often cached on ISP level.



  • You-
    replied
    letsencrypt

    When letsencrypt is functional, https should become pretty convenient.

    The Let's Encrypt ACME directory URL is: https://acme-v02.api.letsencrypt.org/directory

    To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.

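The "demonstrate control over the domain" step that the post above refers to is the ACME challenge/response defined in RFC 8555. What follows is an added example written for this thread; it is not code from the original post, from Let's Encrypt, or from any ACME client. It builds the proof for the two common challenge types (http-01 and dns-01) and also shows the check the CA performs. The token and the account key are constructed sample values, not anything issued by a CA, and the modulus in the sample JWK is a placeholder string rather than a real RSA key.

```python
"""ACME domain-control proof (RFC 8555) for the http-01 and dns-01 challenges.

Added example, not Let's Encrypt's or any ACME client's code. The token and the
account key below are constructed samples, not values issued by a CA.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample challenge token, in the shape a CA's challenge object
# carries in its "token" member. A real client must only serve tokens it
# received from the CA for a pending authorization, never arbitrary input.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Constructed sample ACME account public key as a JWK. The modulus is a
# placeholder string, not a real RSA key; the thumbprint only hashes the
# canonical JSON of the required members, so any string suffices for the demo.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "sample-modulus-not-a-real-key",
    "e": "AQAB",
    "alg": "RS256",   # optional member: must NOT influence the thumbprint
}


def base64url(data: bytes) -> str:
    """base64url without '=' padding, as required throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, serialized
    with lexicographically sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return base64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key).
    Binding the account key stops one ACME account from satisfying a
    challenge that was issued to a different account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple:
    """What the web server must serve over plain HTTP on port 80
    (section 8.3): the path under /.well-known/acme-challenge/ and the
    plain-text body."""
    return ("/.well-known/acme-challenge/" + token,
            key_authorization(token, account_jwk))


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record value for _acme-challenge.<domain> (section 8.4): base64url
    of SHA-256 over the key authorization, never the key authorization itself."""
    digest = hashlib.sha256(
        key_authorization(token, account_jwk).encode("utf-8")).digest()
    return base64url(digest)


def ca_validates_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """The CA side of the check: take the fetched body and compare it with the
    expected key authorization for this token and this account key. A
    constant-time compare avoids leaking how many leading bytes matched."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(served_body.strip().encode("utf-8"),
                               expected.encode("utf-8"))


if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("serve", path, "with body", body)
    print("or publish TXT _acme-challenge.<domain> =",
          dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print("CA accepts:", ca_validates_http01(body, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

In practice an ACME client such as Certbot does all of this for you; the point of the example is to make visible what the CA actually checks: the response proves possession of the account private key (via the thumbprint) and control of the domain (via where the response is served from), and nothing else. That is why the proof reveals nothing about the identity of the operator, which is the point the later replies about anonymity make.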


  • bemerk
    replied
    Originally posted by uid313 View Post
    Yeah, and deprecate anonymity too.
    In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
    If you have an opinion, we want to know who you are and where you live!
    If you buy webspace, the host will have your address already.
    If it is something like WordPress or Blogger, some platform, its host will get a wildcard cert for all subdomains and you can still register with a trash-mail address like right now.

    Certificates can also be domain-validated, so all that is checked is whether you can receive mail for that domain.
    Not much difference to what we have right now.



  • Kushan
    replied
    Originally posted by uid313 View Post
    Yeah, and deprecate anonymity too.
    In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
    If you have an opinion, we want to know who you are and where you live!
    Or, you know, you could use encryption without the authoritative CA. You know, like the encryption that Firefox now tries to default to if full SSL isn't in place?



  • bemerk
    replied
    Originally posted by uid313 View Post
    Yeah, and deprecate anonymity too.
    In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
    If you have an opinion, we want to know who you are and where you live!
    What does TLS have to do with "provide data to the government"?
    There are CAs that check only whether you are able to receive mail for the domain you want a certificate for, and if you purchase webspace your name and address are usually already known to the host.

    If it is a blogging platform, the blog host will get the cert for the domain and you still only register with an anonymous mail address.
    Don't see your problem.



  • Shaman666
    replied
    Originally posted by nanonyme View Post
    Next step: People notice it was stupid to remove HTTP because transparent caching proxies no longer work, so everyone runs out of capacity. As a result keys are given to ISPs so they can terminate SSL, cache, and send the connection forward as SSL.
    Best of luck caching anything on the Internet today. Almost all content is dynamic.

    I ran transparent caching for years and when it came down under 12% hit rate (*NOT* including video), I just gave up.



  • nanonyme
    replied
    Originally posted by uid313 View Post
    Yeah, and deprecate anonymity too.
    In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
    If you have an opinion, we want to know who you are and where you live!
    Seems like the excuse of a lifetime to me for NSA and friends

